DHS Alert on Dragonfly APT Contains IOCs, Rules Likely to Trigger False Positives

[Exterminator]

A joint Technical Alert, TA17–293A, released over the weekend by the FBI and Department of Homeland Security describing the activities of a Russian APT may contain signatures and rules likely to trigger false positives in some security systems.

The alert, made available Saturday morning, dissects the activity of the Dragonfly APT, also known as Energetic Bear, Crouching Yeti and a host of other nicknames. The group targets energy sector and other critical utilities including nuclear, as well as government agencies and manufacturing.

DHS goes into great detail about the group’s activities, how it infiltrates organizations and what it’s after. It also provides a laundry list of network- and host-based signatures, as well as a YARA ruleset for the malware used by this group.

YARA expert Florian Roth warned within hours of the release that some of the IOCs and YARA rules were flawed and could cause a wave of unnecessary alerts for admins.

This situation harkens back to the Grizzly Steppe report of last December which connected the Russian-speaking APT Sofacy, or Fancy Bear, to attacks against a number of 2016 election-related targets.

That report too was criticized, and admins were advised by a number of security companies not to use the indicators because of the potential for false positives. Some of the indicators in the December report associated with Sofacy included rules for Yahoo email, for example, which some groups use as a means for command and control communication.

This week’s report, Roth points out, contains a few similar issues, most notably around PsExec, a well-known Windows sysinternals utility. Roth said there were two signed hashes for PsExec among the IOCs and YARA rules that would trigger false positives.

“This is no problem, as long as a human reads and pre-qualifies the IOCs before bringing them into production,” Roth wrote in an analysis published on Medium. “The two listed versions of PsExec could be an indicator of compromise if an organisation forbids the use of PsExec or can be certain that the listed versions are not used by the system administrators (both is rather unlikely).”

Roth has redone the YARA rules and made them available to anyone.

“We do not recommend the usage of the original rules in a production environment, because they will result in false positives,” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team. “Instead, we recommend Florian’s rules, which are of much higher quality, after his polishing.”

The joint technical alert meanwhile warns that the U.S. government is aware of victims in the targeted industries. It describes the stages of these respective attacks, characterized by the compromise of smaller, less-protected networks and lateral movement toward more high-value networks within energy in particular.

“Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign,” the alert said.

The alert said that since May, victims in these industries have been targeted and some compromised. The goal, the alert said, is most often espionage. Groups targeting these industries are hoping to learn more about these networks and industrial processes for either financial gain or to disrupt them in the event of a conflict.

“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks,” the alert said. “The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks.”

The alert points out that the APT uses spear phishing and watering hole attacks to compromise victims’ machines. The group also has a number of endpoint and ICS exploits at its disposal, and is intent on gathering credentials that can be used in further attacks.

The use of staging targets, most in the supply chain, extends a growing trend of these types of attacks that peaked earlier this year with the use of Ukrainian software MeDoc to spread the NotPetya wiper malware.